Index ¶
- func CreateSession(region string, role string, creds *credentials.Credentials, id string) (*session.Session, *aws.Config, error)
- type AWSCredentials
- type GCPCredentials
- type IAMMap
- type Identity
- func (id *Identity) CreateAWSSession() (map[string]interface{}, error)
- func (id *Identity) GetGCPSAFromVault(vaultClient *vaultclient.VaultClient) (map[string]interface{}, error)
- func (id *Identity) GetK8SSSAFromVault(vaultClient *vaultclient.VaultClient) (map[string]interface{}, error)
- func (id *Identity) Valid() bool
- func (id *Identity) ValidAWS() bool
- func (id *Identity) ValidGCP() bool
- func (id *Identity) ValidK8S() bool
- type K8SIdentity
- type ProviderName
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CreateSession ¶
func CreateSession(region string, role string, creds *credentials.Credentials, id string) (*session.Session, *aws.Config, error)
CreateSession creates a new session for the given role and credentials, tracking with the provided id
Types ¶
type AWSCredentials ¶
// AWSCredentials holds an AWS key pair plus session token; the JSON tags
// match the capitalised field names used in the AWS credential payload.
type AWSCredentials struct {
	// AccessKeyId identifies the key pair (not secret on its own).
	AccessKeyId string `json:"AccessKeyId"`
	// SecretAccessKey is the secret half of the key pair — keep it out of
	// logs, error messages and audit records.
	SecretAccessKey string `json:"SecretAccessKey"`
	// SessionToken accompanies the key pair; it is sensitive in the same
	// way as SecretAccessKey.
	SessionToken string `json:"SessionToken"`
}
AWSCredentials contains the credentials and assumed role data
type GCPCredentials ¶
// GCPCredentials mirrors the fields of a GCP ServiceAccount credential
// document; the JSON tags are the snake_case keys of that document.
type GCPCredentials struct {
	AuthProviderX509CertURL string `json:"auth_provider_x509_cert_url"`
	AuthURI                 string `json:"auth_uri"`
	ClientEmail             string `json:"client_email"`
	ClientID                string `json:"client_id"`
	ClientX509CertURL       string `json:"client_x509_cert_url"`
	// PrivateKey is the service account's private key material — sensitive;
	// never log or echo it.
	PrivateKey string `json:"private_key"`
	// PrivateKeyID identifies PrivateKey; on its own it is not secret.
	PrivateKeyID string `json:"private_key_id"`
	ProjectID    string `json:"project_id"`
	TokenURI     string `json:"token_uri"`
	// Type is the credential type string carried in the document.
	Type string `json:"type"`
}
GCPCredentials is the structure of the GCP ServiceAccount credentials
func (*GCPCredentials) Validate ¶
func (c *GCPCredentials) Validate() error
Validate validates the GCP ServiceAccount credentials against the GCP Public Key
type IAMMap ¶
// IAMMap is one source→target identity mapping together with the request
// ID under which the mapping is exercised (used for the audit log).
type IAMMap struct {
	// Source is the identity that wants to act as Target.
	Source Identity `json:"source" yaml:"source"`
	// Target is the identity whose credentials are handed out.
	Target Identity `json:"target" yaml:"target"`
	// RequestID correlates this mapping with the audit log.
	// NOTE(review): unlike Source/Target it has no yaml tag, so it
	// serialises under the default YAML key — confirm that is intended.
	RequestID string `json:"requestId"`
}
IAMMap contains a single identity mapping and the corresponding request ID for audit log
func (*IAMMap) FindIDinMap ¶
FindIDinMap returns the IAMMap for the given source identity. This assumes validation has already been performed and that the Source identity has the right to assume the Target identity.
func (*IAMMap) GetCredentials ¶
func (im *IAMMap) GetCredentials(vc *vaultclient.VaultClient) (map[string]interface{}, error)
GetCredentials returns the target credentials for the given source identity. This performs no validation and assumes the source identity has the right to assume the target identity.
type Identity ¶
// Identity describes a single principal at one provider, optionally
// carrying the credentials that prove or grant that identity.
type Identity struct {
	// ID names the principal within the provider.
	ID string `json:"id" yaml:"id"`
	// Provider selects which provider ID belongs to (see ProviderName).
	Provider ProviderName `json:"provider" yaml:"provider"`
	// Region is the provider region, where the provider has one.
	Region string `json:"region" yaml:"region"`
	// Credentials is provider-specific and untyped; presumably it decodes
	// into AWSCredentials, GCPCredentials or K8SIdentity depending on
	// Provider — verify against the callers. Treat the whole map as
	// sensitive.
	Credentials map[string]interface{} `json:"credentials" yaml:"credentials"`
	// RequestID correlates with the audit log; it is deliberately excluded
	// from YAML (yaml:"-") so it cannot be supplied via a YAML mapping file.
	RequestID string `json:"request_id" yaml:"-"`
}
Identity contains a single identity
func (*Identity) CreateAWSSession ¶
CreateAWSSession creates a new session using the identity credentials
func (*Identity) GetGCPSAFromVault ¶
func (id *Identity) GetGCPSAFromVault(vaultClient *vaultclient.VaultClient) (map[string]interface{}, error)
GetGCPSAFromVault returns the GCP ServiceAccount credentials from Vault
func (*Identity) GetK8SSSAFromVault ¶
func (id *Identity) GetK8SSSAFromVault(vaultClient *vaultclient.VaultClient) (map[string]interface{}, error)
GetK8SSSAFromVault retrieves the configured k8s SSA from vault
type K8SIdentity ¶
// K8SIdentity identifies a service account in a Kubernetes cluster and
// carries what is needed to validate it against that cluster's API.
type K8SIdentity struct {
	ClusterName string `json:"clusterName"`
	Namespace   string `json:"namespace"`
	// SA is the service account name.
	SA string `json:"sa"`
	// JWT is the service account token presented for validation — a bearer
	// credential, so keep it out of logs.
	JWT string `json:"jwt"`
	// ClusterHost is the API endpoint the validation is performed against.
	ClusterHost string `json:"clusterHost"`
	// ClusterCA is the CA used to authenticate ClusterHost.
	ClusterCA string `json:"clusterCA"`
	// ValidationToken is the token used to call the cluster's validation
	// API; presumably populated by GetValidation from vault — confirm.
	// Sensitive like JWT.
	ValidationToken string `json:"validationToken"`
}
K8SIdentity is the identity for a k8s cluster
func (*K8SIdentity) GetValidation ¶
func (k *K8SIdentity) GetValidation(cluster string, vaultClient *vaultclient.VaultClient) error
GetValidation retrieves the validation SA token from vault.
func (*K8SIdentity) Validate ¶
func (k *K8SIdentity) Validate() (*v1beta1.TokenReview, error)
Validate validates the k8s identity against the k8s api
type ProviderName ¶
// ProviderName is the string tag naming a supported credential provider;
// the accepted values are the Provider* constants.
type ProviderName string
ProviderName contains supported providers
// Supported provider tags. NOTE(review): this package exposes ValidAWS,
// ValidGCP and ValidK8S on Identity but no Azure counterpart, so how
// ProviderAZR identities are validated should be confirmed.
const (
	ProviderAWS ProviderName = "aws" // Amazon Web Services
	ProviderGCP ProviderName = "gcp" // Google Cloud Platform
	ProviderAZR ProviderName = "azr" // presumably Azure — no validator listed
	ProviderK8S ProviderName = "k8s" // Kubernetes
)